I think I have found where the caller principal is being populated: 
org.jboss.security.plugins.JaasSecurityManager.updateCache(...). It appears 
what occurs is that once a user authenticates, a DomainInfo object is created 
and stored in the login domain's cache. The DomainInfo object is assigned the 
Subject for the authenticated user which is a copy of the Subject created by 
the authentication process.

The caller Principal is then manually assigned to the DomainInfo object by 
searching the original Subject for a Group called "CallerPrincipal" and if 
found taking the first Principal object in the Group. If no such Group is found 
and the Principal can't be reused from the cache, the first non-Group Principal 
found in the Subject's set of Principals is assigned to the DomainInfo object.

It seems (with the code from 4.0.5 GA at least), that unless you add the 
CallerPrincipal Group in your module(s), it doesn't matter if you specify the 
custom class in your login config... despite using instances of your Principal 
class in the login modules, the code that calls the 
JaasSecurityManager.isValid() authentication code from the web container passes 
in an instance of SimplePrincipal 
(org.jboss.web.tomcat.security.JBossSecurityMgrRealm, line 491). At 
JaasSecurityManager.updateCache() (line 778) the manager has a non-null 
principal so the test fails and the subject is not scanned for the principal as 
previously described (if it did it would yield the custom principal), instead, 
it uses the SimplePrincipal passed in from the web container.

So, to make a long story short... make sure you include a Group named 
"CustomPrincipal" with the custom principal added to it. Otherwise, you'll 
always get the SimplePrincipal passed in from the tomcat side.
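As an added illustration of the fix described above (example code, not the poster's module and not JBoss's own source), here is a hypothetical JBoss 4.0.x login module that extends UsernamePasswordLoginModule and returns a Group named "CallerPrincipal" from getRoleSets(). The base class builds the identity from the principalClass login-config option; this module only adds the group whose first member JaasSecurityManager.updateCache() picks up as the caller principal. The user names, passwords and role are constructed sample values.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Hypothetical login module (added example, not JBoss code). It leaves identity
 * creation to the base class, which instantiates the configured principalClass,
 * and adds the "CallerPrincipal" group that JaasSecurityManager.updateCache()
 * scans the Subject for.
 */
public class CallerPrincipalLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample credential store for the example only; a real module
    // would verify against a hashed store (database, LDAP, ...) instead.
    private static final Map<String, String> SAMPLE_USERS = new HashMap<String, String>();
    static {
        SAMPLE_USERS.put("alice", "sample-password");
    }

    /** Expected password for the user currently logging in (required by the base class). */
    @Override
    protected String getUsersPassword() throws LoginException {
        String password = SAMPLE_USERS.get(getUsername());
        if (password == null) {
            throw new LoginException("Unknown user: " + getUsername());
        }
        return password;
    }

    /**
     * Groups added to the Subject in commit(). Besides the usual "Roles" group,
     * return a "CallerPrincipal" group whose first member is the custom principal
     * the base class created; updateCache() takes that first member as the caller
     * principal instead of the SimplePrincipal handed over by the web container.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Principal identity = getIdentity();   // instance of the configured principalClass

        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("user"));   // constructed sample role

        SimpleGroup callerPrincipal = new SimpleGroup("CallerPrincipal");
        callerPrincipal.addMember(identity);            // first member = caller principal

        return new Group[] { roles, callerPrincipal };
    }
}
```

Register the module in login-config.xml for the application's security domain and set the principalClass module option to the custom Principal class; after a successful login, EJBContext.getCallerPrincipal() and HttpServletRequest.getUserPrincipal() then resolve to that custom instance rather than to the SimplePrincipal created on the Tomcat side.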

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4115135#4115135

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
